Skip to main content
Deploy OpenClaw to production servers with openclaw-ansible, an automated installer with a security-first architecture.
The openclaw-ansible repo is the source of truth for Ansible deployment. This page is a quick overview.

Prerequisites

What you get

  • Firewall-first security: UFW + Docker isolation (only SSH + Tailscale reachable)
  • Tailscale VPN for remote access without exposing services publicly
  • Docker for isolated sandbox containers with localhost-only bindings
  • Systemd integration with hardening, auto-starting on boot
  • One-command setup

Quick start

What gets installed

  1. Tailscale (mesh VPN for secure remote access)
  2. UFW firewall (SSH + Tailscale ports only)
  3. Docker CE + Compose V2 (default agent sandbox backend)
  4. Node.js and pnpm (OpenClaw requires Node 22.22.3+, 24.15+, or 25.9+; Node 24 is recommended)
  5. OpenClaw, installed host-based, not containerized
  6. A systemd service with security hardening
The gateway runs directly on the host, not in Docker. Agent sandboxing is optional; this playbook installs Docker because it is the default sandbox backend. See Sandboxing for other backends.

Post-install setup

1

Switch to the openclaw user

2

Run the onboarding wizard

The post-install script guides you through configuring OpenClaw.
3

Connect messaging channels

Log in to WhatsApp, Telegram, Discord, or Signal:
4

Verify the installation

5

Connect to Tailscale

Join your VPN mesh for secure remote access.

Quick commands

Security architecture

Four-layer defense model:
  1. Firewall (UFW): only SSH (22) and Tailscale (41641/udp) exposed publicly
  2. VPN (Tailscale): gateway reachable only via the VPN mesh
  3. Docker isolation: DOCKER-USER iptables chain prevents external port exposure
  4. Systemd hardening: NoNewPrivileges, PrivateTmp, unprivileged user
Verify your external attack surface:
Only port 22 (SSH) should be open. Gateway and Docker stay locked down. Docker is installed for agent sandboxes (isolated tool execution), not for running the gateway. See Multi-Agent Sandbox and Tools for sandbox configuration.

Manual installation

1

Install prerequisites

2

Clone the repository

3

Install Ansible collections

4

Run the playbook

Or run the playbook directly and then run the setup script manually:

Updating

The Ansible installer sets up OpenClaw for manual updates; see Updating for the standard flow. To re-run the playbook (for example, after configuration changes):
This is idempotent and safe to run multiple times.

Troubleshooting

  • Connect via Tailscale VPN first; the gateway is only reachable that way by design.
  • SSH (port 22) is always allowed.
Make sure you are running as the openclaw user:

Advanced configuration

For detailed security architecture and troubleshooting, see the openclaw-ansible repo: